Enhanced eHR Security 04.07.17

Link to PDF

The following details the enhancements that are included in the April 7, 2017, patch for eHR Security.

Email Address Requirement in Workforce Administration

Because identity verification will be based mainly on emailing users with links to verify their identities, eHR now requires each user to have a primary email address identified in new world ERP Workforce Administration for all account activations or changes to login credentials:

If a user does not have a primary email address identified in Workforce Administration and tries to activate or update an eHR account, a message will display, saying a primary email address cannot be found on record:

An eHR administrator who attempts to update a user’s information from the Employee Account Management page will receive the same message:

Note: While updating a Username and Password requires a primary email address to be identified in Workforce Administration, locking or deactivating an eHR user’s account does not.

Customizable Email Templates

Email notifications requiring users to verify their identities using links embedded in the notifications will be sent during the following events:

  • Account creation
  • Password reset

Email notifications alerting users of changes to their profiles but not requiring identity verification will be sent during the following events:

  • User account activation
  • User account deactivation
  • User account lock
  • Account credentials updated through eHR or eAdministration

Customizable email templates for these notifications have been added to the Email Template Setup page in new world ERP:

Password Reset

To view or modify the template for an eHR user’s password reset, select Human Resources – eSuite Security – Password Reset in the Template field:

The default template contains the following tags:

  • [FirstName]
  • [RequestDate]
  • [ExpirationDate]
  • [FullName]
  • [LastName]
  • [ResetLink]

The template also contains a link that will take the recipient to the Maintain My Account page in eHR to complete the password reset process.

Account Creation Request

To view or modify the template for activating an eHR user’s account, select Human Resources – eSuite Security – Account Creation Request in the Template field:

The default template contains the following tags:

  • [FirstName]
  • [Request Date]

The template also contains a link that will take the recipient to the Activate Your Account page in eHR to complete the account activation process.

Account Information Updated

To view or modify the template for updating an eHR user’s account, select Human Resources – eSuite Security – Account Information Updated:

The default template contains the following tags:

  • [AccountInformationChangeType]
  • [FirstName]
  • [Full Name]
  • [Last Name]
  • [Request Date]

Depending on the eHR account activity, the [AccountInformationChangeType] tag will be replaced with added, activated, deactivated, locked or updated in the body of the actual email.

Activating an Account in eHR

The eHR account activation process has been enhanced to send an activation email when a user first attempts to log in. The user must use the link in the email to complete the activation process.

A user who clicks the Activate Your Account link on the Employee Login page of the eSuite HR Portal will be asked to verify his or her identity with a last name and SSN:

When the user clicks CONTINUE, eSuite determines whether the last name and SSN combination matches a valid user account, retrieves the user’s primary email address from Workforce Administration and, using the Account Creation Request template from the Email Template Setup page in new world ERP, sends an email containing a link the user must click to complete the activation process:

Clicking the link will take the user to the account creation page in eHR, where the validity of the link is verified before anything else is shown. The user then enters a user name, a password and a password confirmation:
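
The activation and password-reset flows above both hinge on an emailed link that must be checked for validity before the user is allowed to set credentials. The following is an added example, not eSuite or new world ERP code, of one way to issue and verify such a link and to fill the [FirstName], [RequestDate], [ExpirationDate] and [ResetLink] tags of the Password Reset template. The in-memory token table, the example URL, the 30-minute lifetime and the purpose strings "activate" and "reset" are assumptions made for illustration; the page does not describe how eSuite implements its links.

```python
"""Added example (not eSuite code): expiring, single-use verification links
and template-tag rendering.  The token store, URL and TTL are assumptions."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Hypothetical stand-in for the server-side token table.  Only a SHA-256 hash
# of each token is kept, so a copy of this table cannot be turned into links.
_TOKENS: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_link(user_id: str, purpose: str, base_url: str,
               ttl_minutes: int = 30,
               now: Optional[datetime] = None) -> Tuple[str, datetime]:
    """Create a token bound to one user and one purpose ("activate" or
    "reset") and return the link to embed in the email plus its expiry."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    expires = now + timedelta(minutes=ttl_minutes)
    _TOKENS[_digest(token)] = {"user_id": user_id, "purpose": purpose,
                               "expires": expires, "used": False}
    return f"{base_url}?token={token}", expires


def redeem_link(token: str, purpose: str,
                now: Optional[datetime] = None) -> Optional[str]:
    """Return the user id if the token is known, unused, unexpired and was
    issued for this purpose; otherwise None.  Success consumes the token, so
    a forwarded or replayed email cannot be used a second time."""
    now = now or datetime.now(timezone.utc)
    rec = _TOKENS.get(_digest(token))
    if rec is None or rec["used"] or rec["purpose"] != purpose:
        return None
    if now >= rec["expires"]:
        return None
    rec["used"] = True
    return rec["user_id"]


def render_template(template: str, tags: Dict[str, str]) -> str:
    """Fill [TagName] placeholders.  Unknown tags are left in place so a
    misspelled tag is visible in the delivered mail rather than silently lost."""
    out = template
    for name, value in tags.items():
        out = out.replace(f"[{name}]", value)
    return out


def password_reset_email(first_name: str, user_id: str, now: datetime) -> str:
    """Issue a reset link and render a constructed template that uses the
    same tag names as the default Password Reset template."""
    link, expires = issue_link(
        user_id, "reset", "https://ehr.example.invalid/MaintainMyAccount", 30, now)
    template = ("Hello [FirstName],\nA password reset was requested on "
                "[RequestDate]. Use [ResetLink] before [ExpirationDate].")
    return render_template(template, {
        "FirstName": first_name,
        "RequestDate": now.isoformat(timespec="minutes"),
        "ExpirationDate": expires.isoformat(timespec="minutes"),
        "ResetLink": link,
    })


def simulate() -> dict:
    """Run the reset flow with a fixed clock and report what each check says."""
    t0 = datetime(2017, 4, 7, 9, 0, tzinfo=timezone.utc)
    body = password_reset_email("Pat", "u-1001", t0)
    token = body.split("token=")[1].split()[0]
    link2, _ = issue_link("u-1002", "reset",
                          "https://ehr.example.invalid/MaintainMyAccount", 30, t0)
    token2 = link2.split("token=")[1]
    return {
        "wrong_purpose": redeem_link(token, "activate", t0),           # None
        "first_use": redeem_link(token, "reset", t0 + timedelta(minutes=5)),
        "replay": redeem_link(token, "reset", t0 + timedelta(minutes=6)),  # None
        "expired": redeem_link(token2, "reset", t0 + timedelta(hours=1)),  # None
        "garbage": redeem_link("not-a-token", "reset", t0),            # None
    }


if __name__ == "__main__":
    print(simulate())
```

The purpose check matters because the activation and reset links land on different pages; a token minted for one must not be accepted by the other. The lookup is keyed by the token's hash, so the secret itself is never stored and no string comparison of secrets is performed.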

Updating Login Information in eHR

If a user’s login information is updated from eHR or eAdministration, the user will receive an email notifying him or her of the update.

A user may update login information from the eHR Maintain My Account page:

After clicking SUBMIT, the user will receive an email generated from the Account Information Updated template from the Email Template Setup page in new world ERP:

The user also will receive an email alert when an eSuite administrator updates the user’s login information from the Employee Account Management page:


Emails also will be sent as a result of the following events:

  • A user account is deactivated:

  • A user with a valid account (Username) reaches the maximum number of failed login attempts identified in eHR Settings, locking the account:

  • The Username or Password is updated or reset from the Maintain My Account page or Employee Account Management page:

Maximum Failed Login Attempts

Administrators no longer have the option to allow an unlimited number of login attempts. The Maximum Failed Login Attempts in eHR Settings may be set from 1 to 10:

A user’s account will be locked when the maximum number of login attempts is reached for a valid user ID.

Browser Session Lock

If the maximum number of failed login attempts is reached within a single browser session, whether during attempts to log in, activate an account or reset a password with invalid identifying information, the browser session will be locked and the user must close and reopen the browser. Below is an image of the Employee Login page showing the error message and the disabled LOGIN button after the maximum number of failed login attempts:

User Account Lock

If the maximum number of failed login attempts is reached and the attempts include a valid user ID, the user’s account will be locked, and an email notification will be sent to the user:
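
The two lockout rules above (a browser session lock when the limit is hit with invalid identifying information, an account lock plus notification email when the attempts involve a valid user ID) are easiest to reason about when written out as a small policy. The following is an added example, not eSuite code. The 1 to 10 range of the setting and the two kinds of lock come from the text; the return codes, the data structures, and the choice to keep one counter per browser session and one per valid account are assumptions.

```python
"""Added example (not eSuite code): the lockout rules as a policy object."""
from typing import Dict, List, Set, Tuple

DENIED = "denied"                  # same reply for unknown user and wrong password
SESSION_LOCKED = "session_locked"  # browser must be closed and reopened
ACCOUNT_LOCKED = "account_locked"  # stays locked until an administrator unlocks
OK = "ok"


def valid_max_attempts(n: int) -> bool:
    """Mirrors the eHR Settings range; unlimited attempts are no longer allowed."""
    return 1 <= n <= 10


class LoginGuard:
    def __init__(self, max_failed_attempts: int) -> None:
        if not valid_max_attempts(max_failed_attempts):
            raise ValueError("Maximum Failed Login Attempts must be 1..10")
        self.max = max_failed_attempts
        self.session_failures: Dict[str, int] = {}   # per browser session id
        self.account_failures: Dict[str, int] = {}   # per valid username only
        self.locked_sessions: Set[str] = set()
        self.locked_accounts: Set[str] = set()
        self.notifications: List[Tuple[str, str]] = []  # (event, username) to email

    def attempt(self, session_id: str, username: str,
                account_exists: bool, password_ok: bool) -> str:
        if session_id in self.locked_sessions:
            return SESSION_LOCKED
        if account_exists and username in self.locked_accounts:
            # A locked account stays locked even when the password is right.
            return ACCOUNT_LOCKED
        if account_exists and password_ok:
            self.session_failures.pop(session_id, None)
            self.account_failures.pop(username, None)
            return OK
        # Failure: always count against the session; count against the
        # account only when the username actually exists.
        s = self.session_failures.get(session_id, 0) + 1
        self.session_failures[session_id] = s
        if account_exists:
            a = self.account_failures.get(username, 0) + 1
            self.account_failures[username] = a
            if a >= self.max:
                self.locked_accounts.add(username)
                self.notifications.append(("account_lock", username))
                return ACCOUNT_LOCKED
        if s >= self.max:
            self.locked_sessions.add(session_id)
            return SESSION_LOCKED
        # Identical wording for a bad username and a bad password, so the
        # login form does not confirm which usernames exist.
        return DENIED


if __name__ == "__main__":
    g = LoginGuard(3)
    for _ in range(3):
        print(g.attempt("browser-1", "nobody", account_exists=False, password_ok=False))
```

Because the account counter is keyed by username rather than by session, an attacker who opens a fresh browser after each session lock still runs into the account lock on a real username, which is what turns the failed attempts into the notification email described above.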

Secure Email Support

An eHR Email section containing SMTP settings has been added to new world ERP System Settings Maintenance to support clients using Office 365 Exchange and Gmail:

Maintenance > new world ERP Suite > System > System Settings

If your organization uses the eHR Email section, the From Address on the Email Template Setup page in new world ERP needs to be an authenticated account for your SMTP server:

If your organization does not use the eHR Email section, the Email section directly above it will be used by default.

eSuite Administrator Login Following Security Update

An eSuite administrator logging in with the default username and password of esuiteadmin and newworld123 the first time after this security update is applied will be presented with an Administrator Setup page requiring the selection of a new username and password:


This login change process will not affect other administrator accounts, only the default account.

eSuite Administrator Password Complexity Changes

A new or updated administrator password must contain between 8 and 25 characters and at least one number, one symbol and one uppercase letter:

Login/Logout Auditing

All login and logout activity in eAdministration, eHR, eSupplier and eMiscellaneous Billing will be tracked and stored in the eSuite database. The following items will be included in this audit:

  • User ID
  • IP Address
  • Session ID
  • Area Name
  • Username
  • Logging Type
  • Message
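
The seven fields above are enough to support routine detection work on the stored records. The following is an added example, not eSuite code: a record with those fields, a small constructed sample, and three checks a security operations team would typically run over such a table. The sample records, the Logging Type values, the Area Name strings and the thresholds are assumptions; the page does not state the exact values eSuite writes.

```python
"""Added example (not eSuite code): login/logout audit records and checks."""
from collections import defaultdict
from typing import Dict, List


def audit_record(user_id: str, ip: str, session_id: str, area: str,
                 username: str, logging_type: str, message: str) -> Dict[str, str]:
    """One row with the seven fields the audit captures."""
    return {"UserID": user_id, "IPAddress": ip, "SessionID": session_id,
            "AreaName": area, "Username": username,
            "LoggingType": logging_type, "Message": message}


# Constructed sample data; IP addresses are from documentation ranges.
SAMPLE_AUDIT: List[Dict[str, str]] = [
    audit_record("", "203.0.113.7", "S1", "eHR", "alice", "LoginFailed", "Invalid username or password"),
    audit_record("", "203.0.113.7", "S1", "eHR", "bob", "LoginFailed", "Invalid username or password"),
    audit_record("", "203.0.113.7", "S1", "eHR", "carol", "LoginFailed", "Invalid username or password"),
    audit_record("", "203.0.113.7", "S1", "eHR", "dave", "LoginFailed", "Invalid username or password"),
    audit_record("1001", "198.51.100.4", "S9", "eHR", "erin", "LoginSuccess", "Login"),
    audit_record("1001", "192.0.2.50", "S9", "eHR", "erin", "Logout", "Logout"),
    audit_record("1002", "198.51.100.9", "S10", "eSupplier", "frank", "LoginSuccess", "Login"),
    audit_record("1002", "198.51.100.9", "S10", "eSupplier", "frank", "Logout", "Logout"),
    audit_record("1003", "198.51.100.12", "S11", "eMiscellaneous Billing", "grace", "LoginSuccess", "Login"),
    audit_record("1003", "198.51.100.12", "S12", "eHR", "grace", "LoginFailed", "Invalid username or password"),
]


def spraying_sources(records: List[Dict[str, str]], min_distinct_users: int = 3) -> List[str]:
    """IP addresses with failed logins against at least N distinct usernames.
    One password tried across many accounts stays under the per-account
    lockout, so it only shows up when failures are grouped by source."""
    users_by_ip = defaultdict(set)
    for r in records:
        if r["LoggingType"] == "LoginFailed":
            users_by_ip[r["IPAddress"]].add(r["Username"])
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) >= min_distinct_users)


def sessions_with_multiple_ips(records: List[Dict[str, str]]) -> List[str]:
    """Session IDs seen from more than one IP address, a candidate for a
    stolen session cookie (or, more often, a client that changed networks)."""
    ips_by_session = defaultdict(set)
    for r in records:
        ips_by_session[r["SessionID"]].add(r["IPAddress"])
    return sorted(s for s, ips in ips_by_session.items() if len(ips) > 1)


def sessions_without_logout(records: List[Dict[str, str]]) -> List[str]:
    """Sessions with a successful login and no logout, for session-lifetime review."""
    logged_in, logged_out = set(), set()
    for r in records:
        if r["LoggingType"] == "LoginSuccess":
            logged_in.add(r["SessionID"])
        elif r["LoggingType"] == "Logout":
            logged_out.add(r["SessionID"])
    return sorted(logged_in - logged_out)


if __name__ == "__main__":
    print(spraying_sources(SAMPLE_AUDIT))
    print(sessions_with_multiple_ips(SAMPLE_AUDIT))
    print(sessions_without_logout(SAMPLE_AUDIT))
```

The first check is the one the new lockout rules do not cover by themselves: a single browser session is locked after the maximum number of failures, but an attacker who opens a new session per username never trips the per-account lock, and only the IP Address and Username columns together reveal the pattern.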

Cross-Site Scripting Attacks

eSupplier and eMiscellaneous Billing have been updated to prevent cross-site scripting (XSS) attacks.
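
The note above gives no detail of the original issue, so the following is an added, generic example rather than the fix applied to eSupplier or eMiscellaneous Billing: a supplier name written into an HTML attribute by string concatenation beside the same output with context-appropriate encoding, and a parser that shows what a browser would make of each. The field name, the markup and the payload are constructed for illustration.

```python
"""Added example (not eSupplier/eMiscellaneous Billing code): an attribute
context XSS and its standard fix, output encoding for the HTML context."""
import html
from html.parser import HTMLParser
from typing import List

# Constructed sample payload: closes the value attribute and the input tag,
# then opens a script element.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_unsafe(supplier_name: str) -> str:
    # Vulnerable: whatever is in supplier_name becomes part of the markup.
    return f'<input name="supplier" value="{supplier_name}">'


def render_safe(supplier_name: str) -> str:
    # quote=True also encodes " and ', which is what keeps the value inside
    # the attribute; escaping only < and > would not be enough here.
    return f'<input name="supplier" value="{html.escape(supplier_name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records the start tags a browser-style parser sees in the markup."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(markup: str) -> List[str]:
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    print(element_tags(render_unsafe(PAYLOAD)))   # the script element appears
    print(element_tags(render_safe(PAYLOAD)))     # only the input element
```

The encoder has to match the output context: html.escape is correct for element bodies and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs that context's encoder instead, and a templating engine that auto-escapes by default removes the per-call chance of forgetting.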
